
If I’m missing the point of the question, or if you don’t know where to get started with IAM roles, then please feel free to follow up.

Cheers,

Peter

On Wed, Dec 17, 2014 at 10:14 AM, Nico Kadel-Garcia <nkadel@skyhookwireless.com> wrote:
I’d also appreciate help with this, for various forms of keys. It’s theoretically possible to distribute a chef encryption key out of band, and use unique keys for unique hosts or classes of hosts, but managing it gets burdensome very quickly when you have more than a few hosts or a few classes of environment.

I was referring more to the MySQL database password. This especially applies to MySQL modules in various web servers and backup systems for databases: these tend to rely on passwords stored locally in clear text, but I certainly don’t want them in my role or environment attributes in clear text.

I’ve done this with actual chef servers, but am only learning ‘chef-solo’ now. I’d welcome a walkthrough or insights.

I’ve taken a look at the various solutions. None of them work: many are dependent on an available chef server to hold encrypted data, unlocked by a local key, and I’m using chef-solo extensively, not a chef-server/chef-client setup. Also, frankly, many cookbooks such as the “nagios” and “mysql” and “users” cookbooks have no structure in place for managing encrypted data that must be stored on individual nodes in locally unencrypted format, such as MySQL passwords, Nagios stored credentials for remote service checks, or private SSH keys.

It’s possible to write individual customized wrapper cookbooks for each of these, but it’s awkward and fragile to have to keep wrapping this material. And if you use git or other source control for such information, it means that anyone who has access to that repository has the relevant passwords or private keys unless you ignore the built-in tools and write your own wrappers or updates to fix this. This is especially true for SSH private keys for individual accounts in the “users” cookbook, and for initial “root” access for MySQL, PostgreSQL, and other databases.
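As an added example (not code from this thread or from Chef itself), the "encrypted data unlocked by a local key" pattern the thread describes, done without a Chef server: a plain-Ruby re-implementation of Chef's version 1 encrypted data bag item format, so a chef-solo node that holds only an out-of-band distributed secret file can decrypt a MySQL password from a data bag kept in git. It assumes the version 1 layout is SHA-256 of the secret as the AES-256-CBC key with the value wrapped in a `json_wrapper` JSON envelope; the module name, secret and item values are constructed for the demo.

```ruby
require "openssl"
require "digest"
require "json"

# Plain-Ruby re-implementation of Chef's version 1 encrypted data bag item
# format (assumption: key = SHA-256 of the secret file, AES-256-CBC, value
# wrapped as {"json_wrapper": value}). Runs without the chef gem.
module SoloSecrets
  CIPHER = "aes-256-cbc".freeze

  # Chef strips surrounding whitespace when it reads the secret file.
  def self.load_secret(path)
    File.read(path).strip
  end

  def self.key_for(secret)
    Digest::SHA256.digest(secret)
  end

  def self.encrypt_value(value, secret)
    cipher = OpenSSL::Cipher.new(CIPHER)
    cipher.encrypt
    cipher.key = key_for(secret)
    iv = cipher.random_iv
    plaintext = JSON.generate("json_wrapper" => value)
    data = cipher.update(plaintext) + cipher.final
    # Version 1 is CBC without a MAC: it hides the value but cannot detect tampering.
    { "encrypted_data" => [data].pack("m"), "iv" => [iv].pack("m"),
      "version" => 1, "cipher" => CIPHER }
  end

  def self.decrypt_value(item, secret)
    raise ArgumentError, "unsupported version" unless item["version"] == 1
    cipher = OpenSSL::Cipher.new(item["cipher"])
    cipher.decrypt
    cipher.key = key_for(secret)
    cipher.iv = item["iv"].unpack1("m")
    plaintext = cipher.update(item["encrypted_data"].unpack1("m")) + cipher.final
    JSON.parse(plaintext).fetch("json_wrapper")
  end

  # Every field except "id" is encrypted, as `knife data bag` does.
  def self.encrypt_item(item, secret)
    item.map { |k, v| [k, k == "id" ? v : encrypt_value(v, secret)] }.to_h
  end

  def self.decrypt_item(item, secret)
    item.map { |k, v| [k, k == "id" ? v : decrypt_value(v, secret)] }.to_h
  end
end
```

A chef-solo recipe would read the item from its `data_bag_path`, call `decrypt_item` with the secret from the node's local file, and write the password into a root-only config file rather than into node attributes, so the repository and the attribute tree never carry it in clear text.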
